Commit Graph

21 Commits

Author SHA1 Message Date
Jordan Rose d1d8929370 [analyzer] Teach ConstraintManager to ignore NonLoc <> NonLoc comparisons.
These aren't generated by default, but they are needed when either side of
the comparison is tainted.

Should fix our internal buildbot.

llvm-svn: 177846
2013-03-24 20:25:22 +00:00
Ted Kremenek 722398f1d4 Fix analyzer tests.
llvm-svn: 162588
2012-08-24 20:39:55 +00:00
Anna Zaks f0e9ca8604 [analyzer] Do not assert on constructing SymSymExpr with diff types.
The resulting type info is stored in the SymSymExpr, so no reason not to
support construction of expression with different subexpression types.

llvm-svn: 156051
2012-05-03 02:13:53 +00:00
Anna Zaks 1d3d51a6e6 [analyzer] Add a complexity bound on history tracking.
(Currently, this is only relevant for tainted data.)

llvm-svn: 156050
2012-05-03 02:13:50 +00:00
Anna Zaks 3705a1ee10 [analyzer] Change naming in bug reports "tainted" -> "untrusted"
llvm-svn: 151120
2012-02-22 02:35:58 +00:00
Anna Zaks b7eac9fbef [analyzer] Make VLA checker taint aware.
Also, slightly modify the diagnostic message in ArrayBound and DivZero (still use 'taint', which might not mean much to the user, but plan on changing it later).

llvm-svn: 148626
2012-01-21 05:07:33 +00:00
Ted Kremenek e7b9d4342b Tighten format string diagnostic and make it a bit clearer (and a bit closer to GCC's).
llvm-svn: 148579
2012-01-20 21:52:58 +00:00
Anna Zaks 8298af85a6 [analyzer] Add taint awareness to DivZeroChecker.
llvm-svn: 148566
2012-01-20 20:28:31 +00:00
Anna Zaks 3b754b25bd [analyzer] Add socket API as a source of taint.
llvm-svn: 148518
2012-01-20 00:11:19 +00:00
Anna Zaks 560dbe9ac9 [analyzer] Taint: warn when tainted data is used to specify a buffer
size (Ex: in malloc, memcpy, strncpy..)

(Maybe some of this could migrate to the CString checker. One issue
with that is that we might want to separate security issues from
regular API misuse.)

llvm-svn: 148371
2012-01-18 02:45:11 +00:00
Anna Zaks 5d324e509c [analyzer] Taint: add taint propagation rules for string and memory copy
functions.

llvm-svn: 148370
2012-01-18 02:45:07 +00:00
Anna Zaks 0244cd7450 [analyzer] Taint: add system and popen as undesirable sinks for taint
data.

llvm-svn: 148176
2012-01-14 02:48:40 +00:00
Anna Zaks cb6d4ee793 [analyzer] Unwrap the pointers when ignoring the const cast.
radar://10686991

llvm-svn: 148081
2012-01-13 00:56:55 +00:00
Anna Zaks b3fa8d7dd1 [analyzer] Add taint transfer by strcpy & others (part 1).
To simplify the process:
Refactor taint generation checker to simplify passing the
information on which arguments need to be tainted from pre to post
visit.

Todo: We need to factor out the code that sema is using to identify the
string and memcpy functions and use it here and in the CString checker.

llvm-svn: 148010
2012-01-12 02:22:34 +00:00
Anna Zaks 126a2ef920 [analyzer] Add basic format string vulnerability checking.
We already have a more conservative check in the compiler (if the
format string is not a literal, we warn). Still adding it here for
completeness and since this check is stronger - only triggered if the
format string is tainted.

llvm-svn: 147714
2012-01-07 02:33:10 +00:00
Anna Zaks 7c96b7db96 [analyzer] CStringChecker should not rely on the analyzer generating UndefOrUnknown value when it cannot reason about the expression.
We are now often generating expressions even if the solver is not known to be able to simplify it. This is another cleanup of the existing code, where the rest of the analyzer and checkers should not base their logic on knowing ahead of the time what the solver can reason about. 

In this case, CStringChecker is performing a check for overflow of 'left+right' operation. The overflow can be checked with either 'maxVal-left' or 'maxVal-right'. Previously, the decision was based on whether the expresion evaluated to undef or not. With this patch, we check if one of the arguments is a constant, in which case we know that 'maxVal-const' is easily simplified. (Another option is to use canReasonAbout() method of the solver here, however, it's currently is protected.)

This patch also contains 2 small bug fixes:
 - swap the order of operators inside SValBuilder::makeGenericVal.
 - handle a case when AddeVal is unknown in GenericTaintChecker::getPointedToSymbol.

llvm-svn: 146343
2011-12-11 18:43:40 +00:00
Hans Wennborg b1a5e09f6f Check that arguments to a scanf call match the format specifier,
and offer fixits when there is a mismatch.

llvm-svn: 146326
2011-12-10 13:20:11 +00:00
Anna Zaks ff029b6953 [analyzer] Add more simple taint tests.
llvm-svn: 145275
2011-11-28 20:43:40 +00:00
Anna Zaks 457c68726c [analyzer] Warn when non pointer arguments are passed to scanf (only when running taint checker).
There is an open radar to implement better scanf checking as a Sema warning. However, a bit of redundancy is fine in this case.

llvm-svn: 144964
2011-11-18 02:26:36 +00:00
Anna Zaks 040ddfedc0 [analyzer] Do not conjure a symbol when we need to propagate taint.
When the solver and SValBuilder cannot reason about symbolic expressions (ex: (x+1)*y ), the analyzer conjures a new symbol with no ties to the past. This helps it to recover some path-sensitivity. However, this breaks the taint propagation.

With this commit, we are going to construct the expression even if we cannot reason about it later on if an operand is tainted.

Also added some comments and asserts.

llvm-svn: 144932
2011-11-17 23:07:28 +00:00
Anna Zaks 20829c90be [analyzer] Catch the first taint propagation implied buffer overflow.
Change the ArrayBoundCheckerV2 to be more aggressive in reporting buffer overflows
when the offset is tainted. Previously, we did not report bugs when the state was
underconstrained (not enough information about the bound to determine if there is
an overflow) to avoid false positives. However, if we know that the buffer
offset is tainted - comes in from the user space and can be anything, we should
report it as a bug.

+ The very first example of us catching a taint related bug.
This is the only example we can currently handle. More to come...

llvm-svn: 144826
2011-11-16 19:58:17 +00:00